Bogus Apps Litter Android With Malware

Android is quickly becoming the victim of its own popularity. The most widely used mobile OS on the planet also is the biggest target for mobile malware. "What's happening is the bad guys are downloading good applications, like Angry Birds, and republishing them under similar names with trojans and malware in them," said Trend Micro CTO Raimund Genes.

By John P. Mello Jr.
10/22/12 5:00 AM PT

Android is one of the most popular mobile operating systems in the world. As a result, it's also one of the most popular mobile operating systems to be targeted by malware writers.

Malware aimed at Google's Android platform increased sixfold during the quarter that ended in September, according to a report released Monday by Trend Micro.

"What had been around 30,000 malicious and potentially dangerous or high-risk Android apps in June increased to almost 175,000 between July and September," Trend Micro reported in its third-quarter Security Roundup.

By far, the most prevalent way to deliver malware to Android handsets is through fake versions of legitimate apps. "What's happening is the bad guys are downloading good applications, like Angry Birds, and republishing them under similar names with trojans and malware in them," Trend Micro CTO Raimund Genes told TechNewsWorld.

Adware Rising

Researchers also found an increase in aggressive Android adware that pushes the boundaries of advertising.

"Most mobile adware are simply a business model used to pay for an app offered for free or at low costs to users. But we also identified several adware that pose serious privacy-related threats," according to the report.

"Apps that access your call history without informing you via an end-user license agreement (EULA) or their user interface (UI) constitute malicious behavior from a security perspective," the report adds.

The report also identifies the top spam-sending countries in the world. Saudi Arabia (21 percent) is at the top of the list, followed by India (18 percent), Turkey and the United States (7 percent), Peru (4 percent) and Brazil (3 percent).

In the future, Africa will become a leading source of spam, Genes predicted. "In certain parts of Africa, you now have reliable bandwidth and high throughput without any laws against spam," he explained.

Door Opened for Breach Lawsuits

Victims of data breaches may find it easier to pursue lawsuits against companies holding their data under a recent decision handed down by a federal court of appeals in Florida.

In the case, Resnick v. AvMed, the court made it harder to summarily dismiss lawsuits seeking damages for consumers victimized by data breaches by lowering the bar for showing a causal link between a data breach and identity theft.

"That's very important because if a data breach class-action lawsuit survives the dismissal stage, it generally means the defendant has to defend the case through at least the class certification stage," Bradley Arant Boult Cummings attorney Michael Pennington told TechNewsWorld.

That increases the pressure on a defendant to settle the case, he maintained. "A class certification hearing in federal court is a very risky proposition for a defendant," he said. "The publicity that attends these types of class actions is not very desirable."

In the Resnick case, two laptops containing confidential information were stolen from AvMed. Fourteen months later, two victims of the theft discovered their identities had been stolen. In the past, courts wouldn't have considered the connection between theft of the laptops and the theft of the identities strong enough to warrant a lawsuit, according to Pennington.

"Simply because AvMed had a data breach really proves nothing about whether the identity thieves got the data they used from AvMed," he argued. "That type of information is available from any number of sources."

However, in its decision, the court found that Resnick had "pled sufficient facts to allow for a plausible inference that AvMed's failures in securing their data resulted in their identities being stolen."

"They have shown a sufficient nexus between the data breach and the identity theft beyond allegations of time and sequence," it added.

Survey Roundup

Some 84 percent of Americans say they obey the rules for creating strong passwords, according to a survey released last week by Eset.

The study also showed that a greater percentage of adults over 55 years old (89 percent) said they used a combination of numbers, letters and symbols when they created their passwords than did younger adults in the 18- to 34-year-old group (77 percent).

The fact that young adults aren't as security conscious as their older peers is important, according to Eset Security Evangelist Stephen Cobb. "It's significant because these are people in the workforce using computers at work at home exposing themselves unnecessarily to risk," he told TechNewsWorld.

He maintained that one reason workers create poor passwords is they lack security training. A recent Eset survey showed that only 10 percent of the respondents had received such training. "If you've got a workforce where only one out of 10 people is getting any up-to-date security training, then that should raise a red flag," he said.

In other survey news, eleven, a German e-mail security firm, found that in September alone e-mails containing malware increased 119 percent. It also reported that e-mail containing links to drive-by malware websites increased by a factor of 80 in September and that 9.5 percent of all spam contains such links. Overall, spam volumes dropped in the September quarter, 72 percent to 82.9 percent.

A survey of British consumers released last week by security firm Sophos revealed that 42 percent of devices lost or left in non-secure places had no active security measures on them to protect them. It also found that 20 percent of lost devices contained work mail that could potentially expose confidential corporate information.

Breach Diary

Oct. 12: University of Georgia begins notifying more than 8,500 current and former employees that their personnel records were accessed in a "criminal act of computer trespass." Information in the records included names and Social Security numbers. The university said that the intrusion appears to have been planned by someone who knew where sensitive information was stored on the system.

Oct. 13: U.S. Army announces it will provide one year of credit-monitoring services to 31 holders of the Medal of Honor or Distinguished Service Cross or their families after their Social Security numbers were accidentally posted to the Internet last month.

Oct. 16: New Hampshire attorney general reports that a breach at TD Bank could affect 43,750 residents of the Granite State. The bank has been notifying some 260,000 of its customers from Maine to Florida about the breach that occurred in March when some encrypted backup data tapes were misplaced in transit.

Oct. 16: Several Minnesota municipalities announce a settlement of $665,000 with former police officer Anne Rasmusson, who filed a lawsuit against the cities and towns in which she alleged that more than 140 police officers accessed her driver's license file without any official purpose.

Oct. 17: UK Information Commissioner's Office fines Greater Manchester police department $192,024 for failing to adequately protect the data on a USB stick stolen from the home of one of its officers. The stick contained personal details of 1,075 people helping the police in serious crime investigations.

Oct. 18: A UK housing association, the Network Housing Group, discloses it has launched an internal investigation into the accidental e-mailing to some 300 staff of a spreadsheet containing information on its employees' sexuality, ethnicity and disability status.